Commit Graph

33 Commits

Author SHA1 Message Date
3385538142 nix: clean up flake outputs
All checks were successful
Test / Create distribution (push) Successful in 25s
Test / Fpkg (push) Successful in 32s
Test / Fortify (push) Successful in 2m0s
Test / Data race detector (push) Successful in 2m32s
Test / Flake checks (push) Successful in 48s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-17 12:26:19 +09:00
2d4cabe786 nix: increase nixfmt max width
All checks were successful
Test / Create distribution (push) Successful in 30s
Test / Fpkg (push) Successful in 36s
Test / Data race detector (push) Successful in 35s
Test / Fortify (push) Successful in 39s
Test / Flake checks (push) Successful in 50s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-28 14:43:46 +09:00
8bf162820b nix: separate fsu from package
All checks were successful
Test / Create distribution (push) Successful in 26s
Test / Run NixOS test (push) Successful in 7m25s
This appears to be the only way to build them with different configuration. This enables static linking in the main package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-23 18:13:37 +09:00
6ae02e72fa nix: test direct_wayland behaviour
All checks were successful
Test / Create distribution (push) Successful in 47s
Test / Run NixOS test (push) Successful in 3m35s
This should never be used outside tests unless you absolutely know what you're doing or are using GNOME.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-15 10:45:27 +09:00
989fb5395f nix: remove unused configuration
All checks were successful
Test / Create distribution (push) Successful in 49s
Test / Run NixOS test (push) Successful in 3m30s
User setup no longer depends on userdb.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-15 10:10:42 +09:00
8d04dd72f1 nix: mount nvidia devices
All checks were successful
Test / Create distribution (push) Successful in 1m43s
Test / Run NixOS test (push) Successful in 3m33s
These non-standard paths are required in the sandbox for nvidia drivers to work.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 18:05:18 +09:00
016da20443 nix: expose compat flag in nixos module
All checks were successful
Test / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 4m6s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-25 12:42:48 +09:00
efacaa40fa nix: set deny_devel correctly
All checks were successful
Test / Create distribution (push) Successful in 1m55s
Test / Run NixOS test (push) Successful in 3m51s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-24 00:50:35 +09:00
96d5d8a396 nix: apply shared home config to reserved aid
All checks were successful
Build / Create distribution (push) Successful in 2m16s
Test / Run NixOS test (push) Successful in 5m43s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 20:48:04 +09:00
8a00a83c71 nix: expose syscall filter policy
All checks were successful
Build / Create distribution (push) Successful in 1m31s
Test / Run NixOS test (push) Successful in 1m52s
Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 17:24:42 +09:00
134247b57d nix: configure target users via nixos
All checks were successful
Build / Create distribution (push) Successful in 2m0s
Test / Run NixOS test (push) Successful in 3m46s
This makes patching home-manager no longer necessary.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-23 17:04:19 +09:00
4d3bd5338f nix: implement flake checks
All checks were successful
test / test (push) Successful in 36s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-16 20:54:28 +09:00
39e3ac3ccd nix: require /etc/userdb nix-daemon
All checks were successful
test / test (push) Successful in 36s
There seems to be some kind of credential caching in nix-daemon.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-07 21:07:57 +09:00
40cc8a68d1 nix: rename home directories
All checks were successful
test / test (push) Successful in 38s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-07 20:15:37 +09:00
95668ac998 nix: expose no_new_session in module
All checks were successful
test / test (push) Successful in 14s
Useful for shells and terminal programs like chat clients.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-28 00:19:06 +09:00
653d69da0a nix: module descriptions
All checks were successful
test / test (push) Successful in 24s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 18:10:57 +09:00
f8256137ae nix: separate module options from implementation
All checks were successful
test / test (push) Successful in 25s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 17:08:22 +09:00
54b47b0315 nix: copy pixmaps directory to share package
All checks were successful
test / test (push) Successful in 21s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 14:46:08 +09:00
8f3f0c7bbf nix: integrate dynamic users
All checks were successful
test / test (push) Successful in 21s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 02:49:48 +09:00
1a09b55bd4 nix: remove portal paths from default
All checks were successful
test / test (push) Successful in 27s
Despite presenting itself as a generic desktop integration interface, xdg-desktop portal is highly flatpak-centric and only supports flatpak and snap in practice. It is a significant attack surface to begin with as it is a privileged process which accepts input from unprivileged processes, and the lack of support for anything other than fortify also introduces various information leaks when exposed to fortify as it treats fortified programs as unsandboxed, privileged programs in many cases.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-10 22:24:17 +09:00
9a13b311ac app/config: rename map_real_uid from use_real_uid
All checks were successful
test / test (push) Successful in 19s
This option only changes mapped uid in the user namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 12:01:34 +09:00
431aa32291 nix: remove absolute Exec paths
All checks were successful
test / test (push) Successful in 26s
Absolute paths set for Exec cause the program to be launched as the privileged user.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-08 02:05:47 +09:00
ad80be721b nix: improve start script
All checks were successful
test / test (push) Successful in 23s
Zsh store path in shebang. Replace writeShellScript with writeScript since runtimeShell is not overridable.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 14:09:41 +09:00
4d90e73366 nix: generate strict sandbox configuration
All checks were successful
test / test (push) Successful in 22s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 04:25:15 +09:00
b9d5fe49cb nix: pass $SHELL for shell interpreter
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 23:01:06 +09:00
8f03ddc3fa app: remove bubblewrap launch method
Launch methods serve the primary purpose of setting UID in the init namespace, which bubblewrap does not do. Furthermore, all applications will start within a bubblewrap sandbox once it has been implemented.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 00:11:04 +09:00
3d963b9f67 nix: include package buildInputs in devShells
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-17 23:15:33 +09:00
d49b97b1d4 nix: pass method string directly
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-13 11:58:45 +09:00
88ac05be6d nix: fix typo in nixos module implementation previously missed due to lazy eval
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 23:29:16 +09:00
396066de7b nix: implement dbus-system option in nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 21:26:14 +09:00
0e5b85fd42 nix: implement new dbus options in nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 04:58:25 +09:00
60e4846542 nix: provide options for capability flags
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-08 02:45:00 +09:00
945cce2f5e nix: implement nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 17:03:21 +09:00